Google Fonts violates Content Security Policy

There are two things to fix here:

1. Use https for the Google fonts link (https://fonts.googleapis.com/css?family=Whatever)
2. Authorize https://fonts.googleapis.com in the style-src directive and https://fonts.gstatic.com in the font-src directive: "style-src 'self' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com"

Extension refuses to load the script due to Content Security Policy directive

In a Chrome extension, external script sources must be explicitly allowed by the extension’s content security policy (CSP) in your manifest: If you have a need for some external JavaScript or object resources, you can relax the policy to a limited extent by whitelisting secure origins from which scripts should be accepted… A relaxed policy …

How to override content security policy while including script in browser JS console?

You can turn off the CSP for your entire browser in Firefox by disabling security.csp.enable in the about:config menu. If you do this, you should use an entirely separate browser for testing. For example, install Firefox Developer Edition alongside your normal browser and use that for testing (and not normal Web use). As an alternative, …

Refused to apply inline style because it violates the following Content Security Policy directive

You can also relax your CSP for styles by adding style-src 'self' 'unsafe-inline'; "content_security_policy": "default-src 'self'; style-src 'self' 'unsafe-inline';" This will allow you to keep using inline style in your extension. Important note: As others have pointed out, this is not recommended, and you should put all your CSS in a dedicated file. See the …

Content Security Policy: The page’s settings blocked the loading of a resource

You have said you can only load scripts from your own site (self). You have then tried to load a script from another site (www.google.com) and, because you’ve restricted this, you can’t. That’s the whole point of Content Security Policy (CSP). You can change your first line to: <meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; …

Refused to load the script because it violates the following Content Security Policy directive

The self answer given by MagngooSasa did the trick, but for anyone else trying to understand the answer, here are a few more details: When developing Cordova apps with Visual Studio, I tried to import a remote JavaScript file [located here http://Guess.What.com/MyScript.js], but I got the error mentioned in the title. Here is the …

What’s the purpose of the HTML “nonce” attribute for script and style elements?

The nonce attribute lets you “whitelist” certain inline script and style elements, while avoiding use of the CSP unsafe-inline directive (which would allow all inline script and style), so you still retain the key CSP feature of disallowing inline script/style in general. So the nonce attribute is a way to tell browsers the inline contents …

How does Content Security Policy (CSP) work?

The Content-Security-Policy meta-tag allows you to reduce the risk of XSS attacks by allowing you to define where resources can be loaded from, preventing browsers from loading data from any other locations. This makes it harder for an attacker to inject malicious code into your site. I banged my head against a brick wall trying …
